Game maker Valve has confirmed that attackers unknown have penetrated the Steam digital distribution network, potentially making off with customers' personal details and credit card numbers.
While news of an attack on the Steam forums came earlier this week, Valve's internal investigation into the matter reveals that it wasn't just the forums that had been hacked. Information stored in a database linked with the Steam digital distribution platform, through which gamers can buy and download games on Windows and Mac platforms, has also been compromised.
"Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums," Valve boss Gabe Newell explains in a statement to his company's customers.
"We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information," Newell admits. "We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating."
The attack has shades of the one that befell console gaming giant Sony earlier this year, when the personal information, including credit card details, of 100 million customers was exposed following an attack on its corporate network. Unlike Sony, however, Valve protects its customers' details by storing them in an encrypted format.
Although not guaranteed, if implemented correctly the encryption should prevent the attackers from making use of the details stored within the database.
Nevertheless, it would seem prudent for Steam users to keep an eye on their credit cards, change their passwords and be on the alert for 'phishing' via email and snail-mail from ne'er-do-wells pretending to represent Valve.
"I am truly sorry this happened, and I apologise for the inconvenience," Newell's message to customers concluded, likely offering little solace to those affected by the breach.